Versions Compared

Old Version 10

changes.mady.by.user Former user

Saved on

compared with

New Version 11

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Users need access tokens to invoke APIs subscribed under an application. Access tokens are passed in the HTTP header when invoking APIs. The API Cloud provides a Token API that you can use to generate and renew user and application access tokens. The response of the Token API is a JSON message. You extract the token from the JSON and pass it with an HTTP Authorization header to access the API.

The following topic explain explains how to generate/renew access tokens and authorize them. WSO2 API Cloud supports the four most common authorization grant types and you can also define additional types.

Child pages (Children Display)

Also, see the following: 

Table of Contents

...

After an access token is generated, sometimes you might have to refresh or renew the old token due to expiration or security concerns. This can be done by issuing a REST call to the Token API through a REST client like cURL, with the following parameters.

  • The Token API URL is   https://gateway.api.cloud.wso2.com:8243/token.
  • payload - "grant_type=refresh_token&refresh_token=<retoken>&scope=PRODUCTION". Replace the <retoken> value with the refresh token generated in the previous sectionthat you generate through the UI.
  • headers - Authorization :Basic <base64 encoded string>, Content-Type: application/x-www-form-urlencoded. Replace <base64 encoded string> as appropriate.          

...

Code Block
curl -k -d "grant_type=refresh_token&refresh_token=<retoken>&scope=PRODUCTION" -H "Authorization: Basic SVpzSWk2SERiQjVlOFZLZFpBblVpX2ZaM2Y4YTpHbTBiSjZvV1Y4ZkM1T1FMTGxDNmpzbEFDVzhh, Content-Type: application/x-www-form-urlencoded" https://gateway.api.cloud.wso2.com:8243/token

The REST message will grant a renewed token.

...

After issuing an access token, a user or an admin can revoke it in case of theft or a security violation. You can do this by calling the Revoke API using a REST Client. The Revoke API's endpoint URL is https://gateway.api.cloud.wso2.com:8243/revoke. The parameters required to invoke this API are as follows:

...

For example, curl -k -d "token=<ACCESS_TOKEN_TO_BE_REVOKED>" -H "Authorization: Basic Base64Encoded(Consumer key:consumer secret)" https://gateway.api.cloud.wso2.com:8243/revoke.

Tip
When the API Gateway cache is enabled (it is enabled by default), even Even after revoking a token, it might still be available in the API Gateway cache to consumers until the cache expires in approximately 15 minutes.